Initial commit
Add jenkins configuration for sandbox
Change-Id: I117fecfe3af0b14ea4aac7db3211bc3517caf56b
Related-PROD: RE-336
diff --git a/auth.yaml b/auth.yaml
new file mode 100644
index 0000000..ee8d3e5
--- /dev/null
+++ b/auth.yaml
@@ -0,0 +1,43 @@
+---
+jenkins:
+ disableRememberMe: false
+ securityRealm:
+ ldap:
+ configurations:
+ - inhibitInferRootDN: false
+ rootDN: ${CRED_INFRA_LDAP_ROOT}
+ server: ${CRED_INFRA_LDAP_SERVER}
+ managerDN: ${CRED_INFRA_LDAP_USERNAME}
+ managerPasswordSecret: ${CRED_INFRA_LDAP_PASSWORD}
+ displayNameAttributeName: "gecos"
+ authorizationStrategy:
+ globalMatrix:
+ permissions:
+ - "Overall/Administer:mirantis"
+ - "Overall/Administer:mcp-jenkins"
+
+ - "Overall/Read:anonymous"
+
+ - "Job/Build:mirantis"
+
+ - "Job/Cancel:mirantis"
+
+ - "Job/Configure:mirantis"
+
+ - "Job/Create:mirantis"
+
+ - "Job/Delete:mirantis"
+
+ - "Job/Discover:anonymous"
+
+ - "Job/Workspace:mirantis"
+
+ - "Run/Delete:mirantis"
+
+ - "Run/Replay:mirantis"
+
+ - "Run/Update:mirantis"
+
+ - "Gerrit/Retrigger:mirantis"
+
+ - "View/Read:anonymous"
diff --git a/clouds/k8s-infra.yaml.example b/clouds/k8s-infra.yaml.example
new file mode 100644
index 0000000..927fa19
--- /dev/null
+++ b/clouds/k8s-infra.yaml.example
@@ -0,0 +1,53 @@
+---
+jenkins:
+ clouds:
+ - kubernetes:
+ name: k8s-infra
+ connectTimeout: 5
+ containerCapStr: 10
+ credentialsId: k8s-infra-config
+ maxRequestsPerHostStr: 32
+ readTimeout: 15
+ skipTlsVerify: true
+ webSocket: true
+ templates:
+ - name: dind-infra
+ showRawYaml: false
+ containers:
+ - name: docker
+ args: 99d
+ command: sleep
+ envVars:
+ - envVar:
+ key: DOCKER_HOST
+ value: tcp://localhost:2375
+ image: docker:19.03.1
+ livenessProbe:
+ failureThreshold: 0
+ initialDelaySeconds: 0
+ periodSeconds: 0
+ successThreshold: 0
+ timeoutSeconds: 0
+ workingDir: /home/jenkins/agent
+ - name: docker-daemon
+ envVars:
+ - envVar:
+ key: DOCKER_TLS_CERTDIR
+ image: docker:19.03.1-dind
+ livenessProbe:
+ failureThreshold: 0
+ initialDelaySeconds: 0
+ periodSeconds: 0
+ successThreshold: 0
+ timeoutSeconds: 0
+ privileged: true
+
+credentials:
+ system:
+ domainCredentials:
+ - credentials:
+ - file:
+ id: k8s-infra-config
+ fileName: k8s-re-jenkins-us-prod.yaml
+ secretBytes: ${CRED_K8S_RE_JENKINS_CONFIG_CONTENT}
+
diff --git a/clouds/openstack.ic-us.sandbox-ci.yaml.example b/clouds/openstack.ic-us.sandbox-ci.yaml.example
new file mode 100644
index 0000000..0a6f95e
--- /dev/null
+++ b/clouds/openstack.ic-us.sandbox-ci.yaml.example
@@ -0,0 +1,53 @@
+---
+jenkins:
+ clouds:
+ - openstack:
+ name: "IC-US sandbox-ci"
+ credentialsId: ic-us-sandbox-ci
+ endPointUrl: https://ic-us.ssl.mirantis.net:5000/v3
+ zone: RegionOne
+ slaveOptions:
+ availabilityZone: nova
+ bootSource:
+ image:
+ name: bionic-server-cloudimg-amd64-20200218
+ floatingIpPool: public
+ fsRoot: /var/lib/jenkins
+ hardwareId: d4d834ab-07e3-4fa3-8134-f4001d642bbd
+ instancesMin: 1
+ instanceCap: 1
+ keyPairName: sandbox-ci
+ launcherFactory:
+ ssh:
+ credentialsId: sandbox-ci-agent
+ networkId: jenkins
+ securityGroups: jenkins-agent
+ templates:
+ - name: sandbox-ci-agent-dynamic
+ labels: 'dynamic docker libvirt'
+ slaveOptions:
+ fsRoot: /home/jenkins
+ bootSource:
+ image:
+ name: bionic-jenkins-agent-amd64-20200603
+ userDataId: sandbox-ci-agent-cloudinit
+
+unclassified:
+ globalConfigFiles:
+ configs:
+ - openstackUserData:
+ id: sandbox-ci-agent-cloudinit
+ name: sandbox-ci-agent-cloudinit
+ comment: sandbox-ci-agent-cloudinit
+ content: >
+ #cloud-config
+
+ system_info:
+ default_user:
+ name: jenkins
+ gecos: "Jenkins CI agent"
+ lock_passwd: true
+ runcmd:
+ - [chmod, -x, /etc/update-motd.d/50-motd-news]
+ - [chmod, -x, /etc/update-motd.d/80-livepatch]
+
diff --git a/credentials/artifactory.yaml b/credentials/artifactory.yaml
new file mode 100644
index 0000000..1661450
--- /dev/null
+++ b/credentials/artifactory.yaml
@@ -0,0 +1,9 @@
+---
+credentials:
+ system:
+ domainCredentials:
+ - credentials:
+ - usernamePassword:
+ id: artifactory
+ username: jenkins
+ password: ${CRED_ARTIFACTORY_PASSWORD}
diff --git a/credentials/infra.yaml b/credentials/infra.yaml
new file mode 100644
index 0000000..61ccc95
--- /dev/null
+++ b/credentials/infra.yaml
@@ -0,0 +1,27 @@
+---
+credentials:
+ system:
+ domainCredentials:
+ - credentials:
+ - basicSSHUserPrivateKey:
+ id: sandbox-ci
+ username: sandbox-ci
+ description: >
+ Jenkins master SSH key
+ privateKeySource:
+ directEntry:
+ privateKey: ${CRED_SANDBOX_CI_SSH_KEY}
+ - basicSSHUserPrivateKey:
+ id: sandbox-ci-agent
+ username: jenkins
+ description: >
+ Jenkins master SSH key for agents
+ privateKeySource:
+ directEntry:
+ privateKey: ${CRED_SANDBOX_CI_SSH_KEY}
+ - usernamePassword:
+ id: jjb-update
+ username: sandbox-jenkins
+ password: ${CRED_JJB_UPDATE_PASSWORD}
+ description: |
+ Credentials to update jenkins-jobs
diff --git a/credentials/sandbox-ci.yaml b/credentials/sandbox-ci.yaml
new file mode 100644
index 0000000..37d618b
--- /dev/null
+++ b/credentials/sandbox-ci.yaml
@@ -0,0 +1,14 @@
+---
+credentials:
+ system:
+ domainCredentials:
+ - credentials:
+ - openstackV3:
+ id: ic-us-sandbox-ci
+ userName: sandbox-ci
+ password: ${CRED_IC_US_SANDBOX_CI_PASSWORD}
+ projectName: infra-sandbox
+ projectDomain: default
+ userDomain: ldap_mirantis
+ description: |
+ InternalCloud Openstack V3
diff --git a/jenkins.yaml b/jenkins.yaml
new file mode 100644
index 0000000..72b8d08
--- /dev/null
+++ b/jenkins.yaml
@@ -0,0 +1,67 @@
+---
+jenkins:
+ agentProtocols:
+ - "JNLP4-connect"
+ - "Ping"
+ crumbIssuer:
+ standard:
+ excludeClientIPFromCrumb: true
+ markupFormatter:
+ rawHtml:
+ disableSyntaxHighlighting: false
+ mode: EXCLUSIVE
+ numExecutors: 1
+ quietPeriod: 5
+ scmCheckoutRetryCount: 0
+ slaveAgentPort: 50000
+ remotingSecurity:
+ enabled: true
+ primaryView:
+ list:
+ columns:
+ - "status"
+ - "weather"
+ - "jobName"
+ - "lastSuccess"
+ - "lastFailure"
+ - "lastDuration"
+ - "buildButton"
+ jobFilters:
+ - buildStatusFilter:
+ building: true
+ inBuildQueue: false
+ includeExcludeTypeString: "includeMatched"
+ neverBuilt: false
+ name: "Running"
+ globalNodeProperties:
+ - envVars:
+ env:
+ - key: K8S_CLUSTER
+ value: 'k8s-infra'
+ - key: GIT_AUTHOR_NAME
+ value: 'Sandbox CI'
+ - key: GIT_AUTHOR_EMAIL
+ value: 'infra@sandbox.mirantis.net'
+ - key: GIT_COMMITTER_NAME
+ value: 'Sandbox CI'
+ - key: GIT_COMMITTER_EMAIL
+ value: 'infra@sandbox.mirantis.net'
+
+security:
+ apiToken:
+ usageStatisticsEnabled: false
+ globalJobDslSecurityConfiguration:
+ useScriptSecurity: true
+ copyartifact:
+ mode: PRODUCTION
+
+groovy:
+ - file: /var/jenkins_home/casc/scripted.groovy
+
+unclassified:
+ # usageStatistics: false # JENKINS-54662
+ globalDefaultFlowDurabilityLevel:
+ durabilityHint: PERFORMANCE_OPTIMIZED
+ location:
+ adminAddress: "Sandbox CI <infra@sandbox.mirantis.net>"
+ url: "https://jenkins.sandbox.mirantis.net/"
diff --git a/plugins/CSP.syml b/plugins/CSP.syml
new file mode 100644
index 0000000..4a59696
--- /dev/null
+++ b/plugins/CSP.syml
@@ -0,0 +1,2 @@
+CSP:
+ policy: "sandbox allow-scripts; default-src 'self'; frame-src 'self' www.googletagmanager.com; font-src 'self' fonts.gstatic.com; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' maxcdn.bootstrapcdn.com fonts.googleapis.com;"
diff --git a/plugins/gerrit-trigger.syml b/plugins/gerrit-trigger.syml
new file mode 100644
index 0000000..2d48a80
--- /dev/null
+++ b/plugins/gerrit-trigger.syml
@@ -0,0 +1,18 @@
+---
+
+GerritTrigger:
+ numberOfReceivingWorkerThreads: 3
+ numberOfSendingWorkerThreads: 1
+ replicationCacheExpirationInMinutes: 360
+ servers:
+ mcp-gerrit:
+ noConnectionOnStartup: false
+ gerritHostName: sandbox-gerrit
+ gerritFrontEndUrl: https://gerrit.sandbox.mirantis.net/
+ gerritUserName: sandbox-jenkins
+ gerritEMail: infra@sandbox.mirantis.net
+ gerritAuthKeyFile: /var/jenkins_home/.ssh/id_rsa
+ buildCurrentPatchesOnly:
+ abortNewPatchsets: false
+ abortManualPatchsets: false
+ abortSameTopic: false
diff --git a/plugins/global-libraries.yaml.example b/plugins/global-libraries.yaml.example
new file mode 100644
index 0000000..b3967b5
--- /dev/null
+++ b/plugins/global-libraries.yaml.example
@@ -0,0 +1,13 @@
+---
+unclassified:
+ globalLibraries:
+ libraries:
+ - name: jps
+ retriever:
+ modernSCM:
+ scm:
+ git:
+ credentialsId: github-up
+ remote: https://github.com/Mirantis/jps.git
+ traits:
+ - gitBranchDiscovery
diff --git a/plugins/hidden-warnings.syml b/plugins/hidden-warnings.syml
new file mode 100644
index 0000000..00c3e56
--- /dev/null
+++ b/plugins/hidden-warnings.syml
@@ -0,0 +1,4 @@
+---
+
+UpdateSiteWarnings:
+ SECURITY-248: false
diff --git a/plugins/script-security.yaml b/plugins/script-security.yaml
new file mode 100644
index 0000000..76f8dc3
--- /dev/null
+++ b/plugins/script-security.yaml
@@ -0,0 +1,20 @@
+---
+# yamllint disable rule:line-length
+security:
+ scriptApproval:
+ approvedSignatures:
+ - "field hudson.util.FormValidation kind"
+ - "field java.util.ArrayList size"
+ - "method groovy.json.JsonSlurperClassic parseText java.lang.String"
+ - "method hudson.model.Executor interrupt hudson.model.Result"
+ - "method hudson.model.Run getExecutor"
+ - "method io.jenkins.plugins.casc.ConfigurationAsCode configure java.lang.String[]"
+ - "method io.jenkins.plugins.casc.ConfigurationAsCode doCheckNewSource java.lang.String"
+ - "method io.jenkins.plugins.casc.ConfigurationAsCode getStandardConfig"
+ - "method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper getRawBuild"
+ - "new groovy.json.JsonSlurperClassic"
+ - "new java.lang.RuntimeException java.lang.String"
+ - "staticField groovy.io.FileType FILES"
+ - "staticMethod groovy.json.JsonOutput toJson java.lang.Object"
+ - "staticMethod io.jenkins.plugins.casc.ConfigurationAsCode get"
+ - "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods asBoolean java.util.regex.Matcher"
diff --git a/plugins/simple-theme.yaml b/plugins/simple-theme.yaml
new file mode 100644
index 0000000..b09d054
--- /dev/null
+++ b/plugins/simple-theme.yaml
@@ -0,0 +1,6 @@
+---
+unclassified:
+ simple-theme-plugin:
+ elements:
+ - cssUrl:
+ url: "/userContent/theme/material-blue-grey.css"
diff --git a/scripted.groovy b/scripted.groovy
new file mode 100644
index 0000000..8815e73
--- /dev/null
+++ b/scripted.groovy
@@ -0,0 +1,158 @@
+#!groovy
+@Grab('org.yaml:snakeyaml:1.17')
+import jenkins.model.Jenkins;
+import jenkins.model.GlobalConfiguration
+import net.sf.json.JSONArray;
+import net.sf.json.JSONObject
+import org.yaml.snakeyaml.Yaml
+import io.jenkins.plugins.casc.ConfigurationAsCode
+import jenkins.security.UpdateSiteWarningsConfiguration
+
+Yaml parser = new Yaml()
+
+def casc = ConfigurationAsCode.get()
+def configPath = casc.getStandardConfig()[0]
+def symlFiles = new FileNameFinder().getFileNames(configPath, '**/*.syml', '.**/ **/.*')
+def configs = []
+symlFiles.each {
+ configs = configs + parser.load((it as File).text)
+}
+
+class Globals {
+ public static Boolean compareObjects( Object a, b) {
+ return Jenkins.XSTREAM.toXML(a) == Jenkins.XSTREAM.toXML(b)
+ }
+}
+
+class UpdateSiteWarnings {
+ UpdateSiteWarnings() {}
+ Boolean changed = false
+ def instance = Jenkins.instance
+ void configure(params) {
+ def config = GlobalConfiguration.all().get(UpdateSiteWarningsConfiguration.class)
+ def _config = new UpdateSiteWarningsConfiguration()
+
+ _config.configure(null, JSONObject.fromObject(params))
+ if (! Globals.compareObjects(config, _config)) {
+ config.configure(null, JSONObject.fromObject(params))
+ changed = true
+ }
+ _config = null
+ }
+}
+
+class CSP {
+ CSP() {}
+ Boolean changed = false
+ def instance = Jenkins.instance
+ void configure(param) {
+ String currentPolicy = System.getProperty("hudson.model.DirectoryBrowserSupport.CSP")
+ String newPolicy = param.policy.trim()
+ if ( currentPolicy != newPolicy ){
+ System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", newPolicy)
+ changed = true
+ }
+ }
+}
+
+class GerritTrigger {
+ GerritTrigger() {}
+
+ def instance = Jenkins.instance
+ Boolean changed = false
+ def defaultServerParam = [
+ noConnectionOnStartup: false,
+ gerritBuildStartedVerifiedValue: 0,
+ gerritBuildSuccessfulVerifiedValue: 1,
+ gerritBuildFailedVerifiedValue: -1,
+ gerritBuildUnstableVerifiedValue: 0,
+ gerritBuildNotBuiltVerifiedValue: 0,
+ gerritBuildStartedCodeReviewValue: 0,
+ gerritBuildSuccessfulCodeReviewValue: 0,
+ gerritBuildFailedCodeReviewValue: 0,
+ gerritBuildUnstableCodeReviewValue: -1,
+ gerritBuildNotBuiltCodeReviewValue: 0,
+ gerritVerifiedCmdBuildStarted:
+ "gerrit review <CHANGE>,<PATCHSET> --message 'Build Started <BUILDURL> <STARTED_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>",
+ gerritVerifiedCmdBuildSuccessful:
+ "gerrit review <CHANGE>,<PATCHSET> --message 'Build Successful <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>",
+ gerritVerifiedCmdBuildFailed:
+ "gerrit review <CHANGE>,<PATCHSET> --message 'Build Failed <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>",
+ gerritVerifiedCmdBuildUnstable:
+ "gerrit review <CHANGE>,<PATCHSET> --message 'Build Unstable <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>",
+ gerritVerifiedCmdBuildNotBuilt:
+ "gerrit review <CHANGE>,<PATCHSET> --message 'No Builds Executed <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>",
+ verdictCategories: [
+ [ verdictValue: 'Code-Review', verdictDescription: 'Code Review' ],
+ [ verdictValue: 'Verified', verdictDescription: 'Verified' ],
+ ]
+ ]
+
+ Boolean compareObjects( Object a, b) {
+ String aXML = Jenkins.XSTREAM.toXML(a).replaceAll(/\{AQA[^\}]+\}/) {
+ hudson.util.Secret.decrypt(it) }
+ String bXML = Jenkins.XSTREAM.toXML(b).replaceAll(/\{AQA[^\}]+\}/) {
+ hudson.util.Secret.decrypt(it) }
+ return aXML == bXML
+ }
+
+ void configure(params) {
+ if ( Jenkins.instance.pluginManager.activePlugins.find { it.shortName == "gerrit-trigger" } == null ) {
+ return
+ }
+ def gerritPlugin = Jenkins.instance.getPlugin(com.sonyericsson.hudson.plugins.gerrit.trigger.PluginImpl.class);
+
+ // Configure common parameters
+ def pluginConfig = gerritPlugin.getPluginConfig()
+ def _pluginConfig = new com.sonyericsson.hudson.plugins.gerrit.trigger.config.PluginConfig()
+
+ _pluginConfig.setValues(JSONArray.fromObject(params))
+ if (! compareObjects(pluginConfig, _pluginConfig)) {
+ pluginConfig.setValues(JSONArray.fromObject(params))
+ changed = true
+ }
+ _pluginConfig = null
+
+ // Configure servers
+ params.servers.each { _name, _params ->
+ def __params = defaultServerParam + _params
+ def values = JSONArray.fromObject(__params)
+ def server = gerritPlugin.getServer(_name)
+
+ if (! server) {
+ server = new com.sonyericsson.hudson.plugins.gerrit.trigger.GerritServer(
+ _name, __params.noConnectionOnStartup)
+ }
+ def config = server.getConfig()
+ def _server = new com.sonyericsson.hudson.plugins.gerrit.trigger.GerritServer(
+ _name, __params.noConnectionOnStartup)
+ def _config = _server.getConfig()
+ _config.setValues(values)
+ _server.setConfig(_config)
+ if (! compareObjects(server, _server)) {
+ changed = true
+ if ( gerritPlugin.containsServer(_name) ) {
+ gerritPlugin.removeServer(gerritPlugin.getServer(_name))
+ }
+ gerritPlugin.addServer(_server)
+ _server.start()
+ if (! __params.noConnectionOnStartup) {
+ _server.startConnection()
+ }
+ }
+ }
+ }
+}
+
+configs.each { params ->
+ params.each { _name, _params ->
+ def clazz = Class.forName(_name)
+ if (clazz) {
+ def act = clazz.newInstance()
+ act.configure(_params)
+ if (act.changed) {
+ act.instance.save()
+ }
+ }
+ }
+}
diff --git a/views/all.yaml b/views/all.yaml
new file mode 100644
index 0000000..e2dede7
--- /dev/null
+++ b/views/all.yaml
@@ -0,0 +1,5 @@
+---
+jenkins:
+ views:
+ - all:
+ name: "all"
diff --git a/views/infra.yaml b/views/infra.yaml
new file mode 100644
index 0000000..d28baf2
--- /dev/null
+++ b/views/infra.yaml
@@ -0,0 +1,7 @@
+---
+# yamllint disable rule:line-length
+jenkins:
+ views:
+ - list:
+ name: Infra
+ includeRegex: "^infra\\..*"
diff --git a/views/running.yaml b/views/running.yaml
new file mode 100644
index 0000000..1823201
--- /dev/null
+++ b/views/running.yaml
@@ -0,0 +1,11 @@
+---
+jenkins:
+ views:
+ - list:
+ jobFilters:
+ - buildStatusFilter:
+ building: true
+ inBuildQueue: false
+ includeExcludeTypeString: "includeMatched"
+ neverBuilt: false
+ name: "Running"